Original SRP-1 Protocol Design

SRP is the newest addition to a new class of strong authentication protocols that resist a set of traditional passive and active attacks once thought to be unstoppable. This class of protocols started with EKE, and nearly all its members are at least partially derived from it. SRP, however, is not directly related to EKE. Instead, it borrows some elements from other key-exchange and authentication protcols and adds some subtle modifications and refinements. The result is a protocol that combines all the strength of the EKE family with a few additional properties that no single protocol has matched to date.

  N    A large safe prime (N = 2q+1 where q is prime).
       All arithmetic is done modulo N.
  g    A primitive root of GF(N).  Also known as a "generator".
  s    User's salt
  u    Username
  P    Cleartext Password
  H()  One-way hash function
  ^    (Modular) Exponentiation
  Ws,Ys   Secret values
  Wp,Yp   Public values
  Xs   Salted and hashed password
  Xp   Password verifier
The host stores passwords using the following formula:
  Xs = s * H(P)              (s is chosen randomly)
  Xp = g ^ Xs                (computes password verifier)
The host then keeps {u, s, Xp} in its password database. The authentication protocol itself goes as follows:
User -> Host:  u, Wp = g ^ Ws          (identifies self, Ws = random number)
        Host:  Yp = g ^ Ys             (Ys = random number)
Host -> User:  s, Z = Xp + Yp          (sends salt, adds verifier to residue)

        User:  Xs = s * H(P)           (user enters password)
        User:  Xp = g ^ Xs             (computes verifier)
        User:  Yp = Z - Xp             (recovers Yp from message)
        User:  S = Yp ^ (Ws + Xs)      (computes session key)
        User:  K = H(S)

        Host:  S = (Wp * Xp) ^ Ys      (computes session key)
        Host:  K = H(S)
Now the two parties have a shared, strong session key K. To complete authentication, they need to prove to each other that their keys match. One possible way:
User -> Host:  H(Z, K)                 (hash with host's value)
Host -> User:  H(Wp, K)                (hash with user's value)
The two parties also employ the following safeguards:
  1. The user will abort if he receives Z == 0 (mod N).
  2. The host will abort if it detects that Wp * Xp == {-g, -1, 0, 1, g} (mod N).
  3. The user must show his proof of K first. If the server detects that the user's proof is incorrect, it must abort without showing its own proof of K.
This protocol is vulnerable to an attack using a stolen verifier. A newer version of SRP has been designed to resist the attack.